Protect Yourself With Wasabi

Have you ever launched into a post and started to wonder, should I spend my valuable time reading the rest of this?  Well, this could be one of those and I’m going to help you out before you get too far.

Use your safety goggles when working on your site

I can think of only a few reasons why you’d want to read this post.  If you don’t fit with any of these, you can stop.  Of course, if you don’t fit, but read it anyhow, let me know why!  Your thirst for random knowledge is high and you and I might be more alike than not and, well, for that I’m very sorry for you!  :>

Reasons why you want to keep reading

1. You have a WordPress blog or web site AND use your own database for your own stuff, say a custom guest book or something.

2. You hear about all those hackers that steal all that stuff from someone’s system or database and are just curious how that happens.  This is one way.  Wasabi.

3. You like challenges no matter how ridiculous and want to guess the right number of wasabis I’ve hidden throughout the post, that one you just read is included in the count.

Why do I care?

As you do, I care about my blogger community and still see this security hole pretty often.  Also, it’s just a little nugget I can pass along to those of you that may be trying to do more with your web site, but accidentally misstep along the way.  And I care about wasabi because I like sushi.

Protect your queries people

That’s what this post is about.  If you use a database for your own purposes, please protect your queries.  If not, people can do some nasty things using something called SQL Injection.  So let’s set this up using the terribly unoriginal guestbook example.

You have a database table called MyGuestBook.  Your database table has various columns in it, say first name, last name, phone number, etc.  You have a web page that allows someone to put in a first name in a web form and query the database to see if there’s anything that matches that criteria in your database.  So here’s a way to query the database:

//you grabbed the text of whatever the person typed in the form field - wasabi
$firstName = $_POST['user_input_first_name'];
//here you decided to do a database query using whatever the person typed in
$result = mysql_query("SELECT * FROM MyGuestBook WHERE firstName = '". $firstName. "'");

And herein lies the problem.  You’ve just queried the database using whatever they typed in and that’s bad.  Not everyone plays nice, just see this page on SQL Injection, particularly the Examples section.  What to do wasabi?  There are several ways to make whatever the person typed in safe, but here’s one.

$pdo = new PDO('mysql:dbname=your_database;host=localhost', $username, $password);
//don't use whatever the user typed in, use a variable
$stmt = $pdo->prepare('SELECT * FROM MyGuestBook WHERE firstName = :firstName');
//that variable is then assigned to whatever the user typed in, but it's escaped and treated safely
$stmt->execute(array(':firstName' => $firstName));

And that’s about all there is to it.  That should get you started on your way to thinking securely and protecting your queries.  In short, don’t fall victim to something trivial like this that could end up ruining your day.

P.s. You’ve made it this far, so let’s talk about that weird wasabi thing.  Since this is a technical post, I thought I’d try to throw some humor in there to spice things up.  Lame attempt?  Yeah, probably.  But who really cares.  So, how many wasabis did you count? wasabi

Disturbingly Common

So you’ve got a web site

Let’s say it’s a blog.  Not one like this site, that is a free wordpress.com account, but a real blog, one you’re paying for each month, hosted somewhere like Bluehost.

And your blog is using a database that you’ve created to do something, say a guestbook.  Writing posts is easy.  You wanted to take it to another level.  You’re made to believe that programming simple web pages with databases on the back-end is “that easy.”  Well, it is that easy.  Heck, most hosts come with a Panel or Dashboard where you can set it all up with a few clicks.  It’s also “that easy” to hack if you don’t take some simple precautions.

Your site evolves into something with a database

The reason I chose a blog is because that’s how a lot of people start.  They evolve into “using email” or “adding a database” or something of that nature.  But this applies to any ol’ web site that uses a database, it doesn’t have to be a blog.

After reading this, don’t feel bad, just tell your programmers to fix it.  Of course, if that is you, well, you need to fix it.

I’ve tried to keep this usable to someone non-technical that is trying to run their own blog/site.  Technical people already know about all this, but non-technical people are creating sites left and right these days.  And malicious people are using wonderfully scary tools like Backtrack to exploit them.

A couple of things you need to do

1. Create a very complex password when connecting to your database – I usually recommend something on the order of 16 or more characters with upper and lower case letters, numbers and funny symbols.  Inconvenient?  Sure.  Safer?  Sure.  You wouldn’t believe how common it is to find passwords with just 6 or 8 characters and all letters, maybe one number.  Give John a little while and as one of my security friends says “it’s all over but the cryin’.”

2. Scrub your users’ input and use safe queries.  Here’s what I mean using a pretty lousy guest book example.  This guest book only asks you for your first name, nothing else!  Nice.  Anyhow…

Let’s say you ask someone on an online form for their first name.  And let’s say you insert that into a database.  Here’s what you might initially do.

$firstName = $_POST['user_input_first_name'];
mysql_query("INSERT INTO MyGuestBook (firstName) VALUES ('" . $firstName . "')");

What’s wrong with this?  Since you’re not scrubbing the user’s input to make sure $firstName contains something legitimate, that’s one problem.  But another one is that inserting that text into the database as-is is very problematic and dangerous: whatever they typed becomes part of the SQL statement itself.  Let’s just say a malicious person could get all the information out of your guestbook without your permission, for instance.

Here’s what you can do instead.  I’m no PHP/MySQL expert, but since that’s pretty common in the blogosphere, I’ve given it a try.

try {
   $pdo = new PDO('mysql:dbname=your_database;host=localhost', $username, $password);
   //use real server-side prepared statements, not client-side emulation
   $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
   //throw on errors instead of failing quietly
   $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
   echo "Connection failed " . $e->getMessage();
   exit; //no connection, so don't go on and use $pdo
}
//the named placeholder stands in for the value; the value itself is sent separately
$stmt = $pdo->prepare('INSERT INTO MyGuestBook (firstName) VALUES (:firstName)');
$stmt->execute(array(':firstName' => $firstName));

And let’s say it’s a web site, maybe something with ASP.Net/SqlServer. Another pretty common one.

 ' the connection string lives in web.config, not in the page
 Dim connString As String = ConfigurationManager.ConnectionStrings("your_database").ConnectionString
 ' @firstName is a placeholder the database fills in; no string concatenation
 Dim sqlString As String = "insert into [ss].[dbo].[MyGuestBook] (firstName) values (@firstName);"

 Using sqlConnection As New SqlConnection(connString)
     Using sqlCommand As New SqlCommand(sqlString, sqlConnection)
         Dim paramFirstName As New SqlParameter("@firstName", SqlDbType.VarChar)
         paramFirstName.Value = inputFromUserCleanedFirstName
         sqlCommand.Parameters.Add(paramFirstName)

         sqlConnection.Open()
         ' an INSERT returns no rows, so ExecuteNonQuery is the right call
         sqlCommand.ExecuteNonQuery()
     End Using
 End Using
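To see the difference between pasting the typed text into the SQL (the first name lookup in the earlier post and the insert above) and using a named placeholder, here is an added example of mine, not code from the post, written against an in-memory SQLite guestbook with constructed rows so it runs anywhere; Python's sqlite3 takes the same :firstName style placeholder as PDO.

```python
import sqlite3


def make_guestbook():
    # Constructed in-memory stand-in for the MyGuestBook table on the page.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE MyGuestBook (firstName TEXT)")
    # Constructed sample rows; one has an apostrophe, a perfectly legitimate name.
    db.executemany("INSERT INTO MyGuestBook (firstName) VALUES (:firstName)",
                   [{"firstName": n} for n in ("Scott", "Ann", "O'Brien")])
    return db


def find_unsafe(db, first_name):
    # The pattern the post warns about: the typed text becomes part of the SQL.
    sql = "SELECT firstName FROM MyGuestBook WHERE firstName = '" + first_name + "'"
    return [row[0] for row in db.execute(sql)]


def find_safe(db, first_name):
    # The PDO-style fix: a named placeholder, the value travels separately as data.
    sql = "SELECT firstName FROM MyGuestBook WHERE firstName = :firstName"
    return [row[0] for row in db.execute(sql, {"firstName": first_name})]


def add_safe(db, first_name):
    # The guestbook insert with a placeholder; returns the new row count.
    db.execute("INSERT INTO MyGuestBook (firstName) VALUES (:firstName)",
               {"firstName": first_name})
    return db.execute("SELECT COUNT(*) FROM MyGuestBook").fetchone()[0]


if __name__ == "__main__":
    db = make_guestbook()
    print(find_safe(db, "Ann"))
    print(find_safe(db, "O'Brien"))          # the quote is just part of the name
    try:
        find_unsafe(db, "O'Brien")           # the quote ends the SQL string early
    except sqlite3.OperationalError as e:
        print("concatenated query broke:", e)
    # Text that rewrites the WHERE clause when pasted in, but matches no name as a value
    print(find_unsafe(db, "' OR '1'='1"))    # every row comes back
    print(find_safe(db, "' OR '1'='1"))      # nothing comes back
```

The concatenated version fails on an honest O'Brien and hands over the whole table on the second input, while the placeholder version treats both as nothing more than a name to compare against.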

Of course, the attackers aren’t just going to stop here with what’s called SqlInjection.  Nah, they’ll be onto other things as soon as you’re an interesting target.  However, the idea here is you are using the power of the database technologies to help protect you from malicious user input.  And more importantly, you’re thinking like a malicious person, one of the best things you can do for yourself.

I genuinely hope this makes sense, but let me know if it doesn’t and enjoy the net, safely!

This Is Not About Coffee

This post is not about coffee.  It’s about Java.  But isn’t Java coffee?  Well it is in the U.S., but not in the context of this post.

A couple of people had asked me about that Java security issue they heard on various news channels recently.  Java, like many things on the Internet, could be dangerous…and here’s more or less what I told them about it.  I just thought I’d share it with my reader community while I was at it in case this non techno talk version helps you out.

What is it?

Java is a high-level programming language that is used in many leading web sites today.  Although I don’t do it anymore, I can proudly say I’ve written quite a few Java Beans in my day.

Why are you telling me this?

It has a serious vulnerability that could affect you at home.

What’s the Scott diagnosis?

This can affect you Mac users the same as you Windows users. There’s no reason to panic, but I’d ask you to please open the link below to read more about it and find out what you can do to mitigate the issue at your house. Best case scenario: You don’t have the vulnerability. Worst case scenario: a hacker anywhere in the world could remotely, silently and quickly install software on your computer to do bad stuff. I don’t need to spell out what that means. You get the idea.

Where can I find out more information about this vulnerability?

The Department of Homeland Security has put out what I believe is a helpful and concise summary of the issue along with steps on how to eliminate it. The remediation involves a patch from Oracle (who owns Java).

Here is the link: http://www.us-cert.gov/cas/techalerts/TA13-010A.html

The short of it is this general action plan:

1. Determine if you have Java installed

2. If not, you can stop reading. If yes, determine what version you have installed.

3. If you don’t need Java, uninstall it or at least disable it. If you need it and it’s version 7, patch it.

I figured out I have Java installed. Do I need it?

I can’t help you with that necessarily, but I can tell you that if you have it, it’s likely because you used it at some point. However, it could be that you bought a new PC from Best Buy and it came installed by default. In that case, you may not need it. It just depends. If you use a web site that requires it, it’ll let you know. For instance, at my house, I don’t have Java installed on my computers or on the kids’ computer. For my wife, Java is installed, but disabled. She needs it for a particular web site that she uses, but she doesn’t need it regularly, so it’s disabled. It’s inconvenient, sure, but it’s safer. Oh and generally speaking, if a web site asked me to install it, I do not unless I absolutely have to have the function that web site provides either for business or personal use. I hope that helps.

Why can’t you give me exact step by step instructions?

Ah, I wish I could. But every home PC is different. Each one has a slightly different variation in operating system, Java installation (if it exists at all) and browser type/version that it’s not practical for me to do so. That is why I provide the link above as the experts have already tried to help everyone out to the best extent possible and frankly do a better job than me at communicating it.

Will Java always be a problem?

Of course, but that’s the unfortunate part of working on the Internet. ActiveX (from Microsoft) can be dangerous. Flash (from Adobe) can be dangerous.  QuickTime (from Apple) can be dangerous.  HTML (from everyone) can be dangerous. In this increasingly digital age, we all just have to be a bit more computer savvy to keep up with what’s installed on our personal devices and take steps to protect ourselves as best we can.  That goes for you non-technical people too!